Problems with fallback and JSON

[mikelaz]

Hi Team,

We have recently had several problems with the integration of a new source that send us JSON events into a SYSLOG messages.

We created an specific configuration file for this source but we detected that the configuration was not being applied correctly.
After some troubleshooting and investigation we discovered that the problem came from the fallback file for the JSON format.

In the package/etc/conf.d/conflib/fallback/app-fallback-json.conf file we had to change following lines from:

application app-fallback-json[sc4s-syslog] {
	filter {
        "${PROGRAM}" eq ""
        and message('{' type(string) flags(prefix));
    };	
    parser { app-fallback-json(); };
};

To:

application app-fallback-json[fallback] {
	filter {
        "${PROGRAM}" eq ""
        and message('{' type(string) flags(prefix));
    };	
    parser { app-fallback-json(); };
};

Changing [sc4s-syslog] to [fallback] to avoid the app-fallback-json.conf file coming into play after our dedicated [sc4s-syslog] configuration.

We think that the code of the app-fallback-json.conf should point to [fallback] instead of [sc4s-syslog], but just in case there is something that we are not seeing, we ask for your oppinion.

Thanks for your help.

Best regards

[rjha-splunk]

Thanks for pointing out , we will check this.

[rjha-splunk]

Can you share a sample message and what is your syslog local configuration, changing topic can have unnecessary side effects, we wanted to look into this use case in details before changing the main code.

[chipzzz]

Is there anyway to ingest json logs? They seemed to always be dropped by sc4s.

[mstopa-splunk]

Closing this issue due to the lack of a sample message. Please feel free to open a new one if needed.